Local (Indonesian-made) viruses are now spreading faster than ever. Their authors compete in a race to produce new variants: a few modifications to the script and a fresh variant is ready to attack anyone, at any time. The distribution medium they use is simple, yet it has proven effective because of the growing number of users who exchange data on diskettes and USB drives. USB drives in particular have become popular because they are easy to carry, hold far more than a diskette and are small, and a small group of virus writers has apparently found this trend a convenient and easy way to spread the viruses they write. That is how the local viruses we know today were born.
Local viruses have been around for a long time, starting with the Pesin virus. After it came a new wave of local viruses: Lavist, Nostalgic, Riyanni_Jangkaru (or Tabaru), the mustache virus, Fawn and most recently Rontokbro, to name only some of those that became a scourge in recent months. Most antivirus products can recognize these viruses, but because their distribution is limited to certain environments, new variants are hard to detect unless the antivirus vendor provides local support. Of the many local viruses, only three have kept coming back: Rontokbro, Nostalgic and Fawn. Of those three, only Rontokbro has caused large losses compared with the other local viruses.
Rontokbro knows the weakness of Safe Mode
Rontokbro is the first local virus that can spread through email; the other local viruses can only spread via diskette/USB. A computer infected with Rontokbro will restart, as also happens with the mustache virus and with Sasser/Blaster. The difference is that a Rontokbro-infected computer restarts when you run a certain application, such as regedit, msconfig or Task Manager. Installing the latest patches has no effect, because unlike Sasser/Blaster the virus does not exploit a security hole, and the restart is not preceded by a countdown as it is with Sasser/Blaster. One of the virus's strengths is that even when the computer is in "safe mode" it will still restart when you run regedit or msconfig, or tools such as Pocket Killbox or HijackThis. Normally a virus that has infected a computer is not active in "safe mode", but Rontokbro is different. This is remarkable progress: the team behind Rontokbro apparently already knew that there is a weak point in "safe mode". Why is this not used by the non-local viruses, whose authors have far more experience and knowledge? Another thumbs up to the makers of Rontokbro.
Based on monitoring by Vaksincom (www.vaksin.com), many users are infected with Rontokbro. This is shown by the large number of users who consult Vaksincom by email, by phone or on the Vaksincom forum at http://forum.vaksin.com. Some complain that their computer is infected with the Rontokbro.N variant, which restarts the computer even in "safe mode". The Vaksincom team therefore offers a few tips and tricks for dealing with Rontokbro, especially for those who do not use Norman Virus Control and so cannot identify the variant properly.
Before discussing how to clean Rontokbro, it is good to know in general what Rontokbro does.
Files infected with Rontokbro.N are 42 KB in size and use a folder icon, but have the extension EXE. When run, the virus creates the following files:
1. C:\Windows, with the file name eksplorasi.exe (hidden)
2. C:\Windows\shellnew, with the file name sempalong.exe (hidden)
3. C:\Windows\system32, with the file name %username%'s Setting.scr (hidden)
4. C:\Documents and Settings\%user%\Local Settings\Application Data, with the file names:
- Bron.tok-x-y, where x and y are numbers
- Loc.Mail.Bron.Tok, containing the email addresses harvested from the infected computer
- Ok-sendmail-Bron-noise, containing the emails that were sent successfully
- Csrss.exe
- Inetinfo.exe
- Kosong.Bron.Tok.txt
- Lsass.exe
- NetMailTmp.bin
- Services.exe
- Smss.exe
- Update.3.Bron.Tok.bin
- Winlogon.exe
5. C:\Documents and Settings\bagle\Start Menu\Programs\Startup, with the file name:
- Empty
6. C:\Documents and Settings\%user%\Templates, with the file name:
- Brengkolang.com
7. A file in every folder, with the same name as the folder and these characteristics:
- Icon resembling a folder
- File size 42 KB
- Extension .EXE
Rontokbro also modifies the file C:\AUTOEXEC.BAT, adding the command line "pause".
So that Rontokbro becomes active every time the computer starts, it creates the following registry entries:
1. Bron-Spizaetus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. Tok-Cirrhatus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Shell, whose value Explorer.exe gets "C:\Windows\Eksplorasi.exe" added to it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Disable Registry Editor
Like most viruses, this virus also disables programs that could shorten its existence, among them the Registry Editor, by adding the registry values:
a. DisableRegistryTools = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
If the Registry Editor is run, an error message appears instead.
b. DisableCMD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Besides adding these strings to the registry, the virus also adds entries under the [Startup] tab of msconfig:
---- Sempalong
---- Smss
---- Empty
Hide Folder Options
The virus has apparently learned from its colleagues: it removes [Folder Options] from the [Tools] menu of [Windows Explorer], so that the user cannot display the files the virus has hidden, by adding the string value:
1. "NoFolderOptions" = dword:00000001
under the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Rontokbro also creates a Windows scheduled task that runs at 5:08 PM, executing a file in the directory:
2. C:\Documents and Settings\%user%\Templates
Automatic Computer Restart
One of Rontokbro's strengths is that it can restart the computer, and installing patches will not solve this, because Rontokbro does not exploit a security hole as Sasser or Blaster normally do.
Rontokbro restarts the computer if you try to run a particular program such as regedit or msconfig, and even if you run a replacement for Task Manager such as Pocket Killbox or HijackThis. Another of its strengths is the ability to restart the computer even in "safe mode", so special tricks are needed to handle the problem. The Rontokbro author probably follows the advice and developments of the past, so that eradicating it will become ever harder because it keeps updating itself.
Rontokbro harvests all email addresses from files with the following extensions:
a. asp
b. cfm
c. csv
d. doc
e. eml
f. html
g. php
h. txt
i. wab
Besides spreading via email, Rontokbro also spreads via diskette/USB by creating a file in every folder/subfolder of the diskette/USB, or in its root, with these characteristics:
a. Icon resembling a folder
b. Size 42 KB
c. Extension .EXE
Rontokbro also tries to make connections by sending ping requests to certain sites, such as the adult site 17tahun.com and kaskus.com. This is one of the factors that slows down the computer. Because internet connections in Indonesia are still relatively slow, the impact is felt less by dial-up home users, who are not always connected; the biggest impact, on access to those two sites, will be felt when the computer infected with Rontokbro is a home computer with a broadband connection that is always online, or an internet cafe (warnet) or office computer that is always connected to the Internet.
Like an antivirus, Rontokbro also tries to update itself from certain predetermined sites, so do not delay updating your antivirus software, so that you do not become the next victim. And do not be careless when exchanging data via diskette/USB. One useful tip is to identify the type of file you are about to run, and always show file extensions so that the file type is visible. One effective way to prevent Rontokbro is to use antivirus software with local support, so that its definitions can keep up with the new Rontokbro variants that continue to appear.
How to clean Rontokbro
1. Do the cleaning in "safe mode".
2. Kill the virus process.
To kill the process, do not use Pocket Killbox or HijackThis, because the computer will restart immediately when you run these tools. Use another tool instead, such as PROCEXP.EXE (Process Explorer), which can be downloaded from http://www.sysinternals.com/Utilities/ProcessExplorer.html
Kill the process by right-clicking the process name and selecting "Kill Process Tree", so that none of the processes is missed. Look for the processes whose icon is a folder (the genuine Windows processes of the same name do not have a folder icon), such as:
- Smss.exe
- Services.exe
- Winlogon.exe
Note:
Alternatively you can perform the following steps:
a. Restart the computer into "safe mode with command prompt" by pressing [F8] as the computer restarts. This is intended so that Rontokbro is not active in "safe mode" and does not restart the computer during the cleaning process.
b. Once in "Command Prompt" mode, press [CTRL]+[ALT]+[Del] simultaneously and select [Task Manager]. After the Task Manager window appears, click [File], select [New Task (Run...)], type [explorer] in the [Create New Task] window and press Enter.
c. The desktop will then appear (showing that you are in "safe mode").
d. Re-enable the Registry Editor and remove the strings created by the virus: write the script given in step [3], save it with the file name "repair.inf", then run it by right-clicking [repair.inf] and selecting [Install].
e. Delete the [Smss], [Empty] and [Sempalong] entries in the [Startup] tab of msconfig.
f. So that [Folder Options] appears again in Windows Explorer, restart the computer again and repeat steps (a) and (b).
g. Once the computer is in "safe mode", show all hidden files (change this in "Folder Options", see the image at step [5]), then follow the remaining Rontokbro cleaning instructions in steps (6-9).
3. Write the following script in Notepad and save it with the file name repair.inf, then run the file (right-click [repair.inf] and select [Install]). This re-enables the Registry Editor, shows [Folder Options] again and removes the strings created by the virus:
[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0,"Explorer.exe"
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Tok-Cirrhatus
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Bron-Spizaetus
4. Restart the computer and go back into "safe mode", not into "normal" mode, because the virus's parent files (eksplorasi.exe and sempalong.exe) are still there.
5. Show hidden files; change this in [Folder Options].
6. Remove the files created by Rontokbro:
- C:\Windows, with the file name eksplorasi.exe (hidden)
- C:\Windows\shellnew, with the file name sempalong.exe (hidden)
- C:\Windows\system32, with the file name %username%'s Setting.scr (hidden)
- C:\Windows\PSS, with the file name [Empty.pifStartup]
- C:\Documents and Settings\%user%\Local Settings\Application Data, with the file names:
- Bron.tok-[x]-[y], where [x] and [y] are numbers
- Loc.Mail.Bron.Tok
- Ok-sendmail-Bron-noise
- Csrss.exe
- Inetinfo.exe
- Kosong.Bron.Tok.txt
- Lsass.exe
- NetMailTmp.bin
- Services.exe
- Smss.exe
- Update.3.Bron.Tok.bin
- Winlogon.exe
7. Edit the autoexec.bat file in the C:\ directory again and delete the command line [pause].
8. Remove the scheduled tasks created by Rontokbro (click [Start], [Settings], [Control Panel], then click [Scheduled Tasks]).
9. Remove the files the virus created in other folders; to do this faster, use the [Search] facility:
Click [Start]
Click [Search], then click [For Files or Folders]
Then select [All files and folders]
Click the option [What size is it?]
Then select the option [Specify size (in KB)]
In the combo box select [at most], enter the file size [43], then click [Search]
After the search finishes, sort the results by size, then delete the files that are 42 KB in size.
Take care not to delete the wrong files, because some Windows files are also 42 KB in size: look for the files with a folder icon and the extension .EXE, as in the image below:
10. For faster cleaning you should use antivirus software that can recognize Rontokbro.N, and do not forget to update the installed antivirus software; up-to-date Norman antivirus already recognizes this virus well.
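As an added example (not part of the Vaksincom article), the file and registry indicators listed in the description above and the 42 KB folder-icon search in step 9 can be checked offline with a short Python script. The file listing and registry snapshot below are constructed samples; the directory walk of a real disk or USB drive and the registry export that would feed them are assumed, not shown.

```python
import ntpath
# Registry values the article lists as created by Rontokbro.N: (key path, value name).
REG_INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Bron-Spizaetus"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Tok-Cirrhatus"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
]
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Dropped names from the article, and Windows process names it copies into Application Data.
DROPPED = {"eksplorasi.exe", "sempalong.exe", "brengkolang.com", "kosong.bron.tok.txt",
           "loc.mail.bron.tok", "ok-sendmail-bron-noise", "netmailtmp.bin", "update.3.bron.tok.bin"}
SYSTEM_NAMES = {"csrss.exe", "inetinfo.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}
def suspicious_files(listing):
    """listing: iterable of (path, size_in_bytes). Returns [(path, reason)]; 42 KB gets 1 KB slack."""
    hits = []
    for path, size in listing:
        parent, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        decoy = ext.lower() == ".exe" and stem.lower() == ntpath.basename(parent).lower()
        if decoy and 41 * 1024 <= size <= 43 * 1024:
            hits.append((path, "42 KB .exe named after its own folder (folder-icon decoy)"))
        elif name.lower() in DROPPED:
            hits.append((path, "known Rontokbro.N dropped file"))
        elif name.lower() in SYSTEM_NAMES and "application data" in parent.lower():
            hits.append((path, "Windows process name outside system32"))
    return hits
def suspicious_registry(snapshot):
    """snapshot: {key_path: {value_name: data}} exported from the machine under review."""
    hits = [(key, val) for key, val in REG_INDICATORS if val in snapshot.get(key, {})]
    shell = str(snapshot.get(WINLOGON, {}).get("Shell", ""))
    if "eksplorasi.exe" in shell.lower():  # e.g. "Explorer.exe C:\Windows\Eksplorasi.exe"
        hits.append((WINLOGON, "Shell"))
    return hits
# Constructed sample data (not from a real infection) so the check runs stand-alone.
SAMPLE_FILES = [
    (r"C:\Windows\system32\smss.exe", 50688),  # genuine system file: must not be flagged
    (r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe", 43008),
    (r"C:\Documents and Settings\user\My Documents\My Documents.exe", 43008),
    (r"C:\Windows\eksplorasi.exe", 43008),
    (r"D:\Photos\report.exe", 43008),  # 42 KB but not named after its folder: not flagged
]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"Tok-Cirrhatus": "smss.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    WINLOGON: {"Shell": r"Explorer.exe C:\Windows\Eksplorasi.exe"},
}
for hit in suspicious_files(SAMPLE_FILES) + suspicious_registry(SAMPLE_REGISTRY):
    print(*hit)
```

The size window deliberately excludes a 42 KB executable that is not named after its folder, so the usual Windows files of that size mentioned in step 9 are not reported.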
Tips
Here are some tips and tricks that can be used against any local virus attack:
1. Do not be careless when exchanging data via diskette/USB.
2. Make sure the diskette/USB is free of viruses by scanning it before use.
3. Know the type of file you are about to run.
4. Display file extensions, so that you know the type of a file before you run it.
5. Diligently follow virus developments.
6. Install antivirus software that has local support and updates automatically.
The local virus that is active in "safe mode"
Posted by UsyL-MeL iN OnLiNe, Thursday, 06 November 2008